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Abstract 

In this article, we discuss a flow-sensitive analysis of equality relationships 
for imperative programs. We describe its semantic domains, general purpose op- 
erations over abstract computational states (term evaluation and identification, 
semantic completion, widening operator, etc.) and semantic transformers corre- 
sponding to program constructs. We summarize our experiences from the last 
few years concerning this analysis and give attention to applications of analysis of 
automatically generated code. Among other illustrating examples, we consider a 
program for which the analysis diverges without a widening operator and results 
of analyzing residual programs produced by some automatic partial evaluator. An 
example of analysis of a program generated by this evaluator is given. 

Keywords: abstract interpretation, value numbering, equality relationships for 
program terms, formal grammars, semantic transformers, widening operator, au- 
tomatically generated programs. 



Introduction 



Semantic analysis is a powerful technique for building effective and reliable program- 
ming systems. In |17l 1181 116j we presented a new kind of a semantic flow-sensitive 
analysis designed in the framework of abstract interpretation jSJ IIOL lll| . This analy- 
sis which determines an approximation of sets of invariant term equalities ti — t2 was 
called the analysis of equality relationships for program terms (hereinafter referred to as 
ERA). 

Most traditional static analyses of imperative programs are interested in finding the 
(in)equalities of a specific kind (so-called value analyses; only they are discussed here) 

* This work was partly done when the author was in Laboratoire d 'informatique, Ecole polytechnique 
(Palaiseau, France) and Ecole normale superieure d'ingenieur (Bourges, France). 
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describing regular approximations (i.e. they have simple mathematical descriptions and 
machine representations) of sets of values: convex polyhedrons/octahedrons/octagons 
[T^ 1771 ESI IH] I afhne [221 12^] and congruent |^ |^ hyper-planes, their non-relational 
counterparts ESI 12^1 OH] as well, etc. They are carefully designed to be reasonable 
(i.e. they express non-trivial semantic properties) and effectively computed (i.e. there 
are polynomial algorithms to handle them^) but "regular" nature does not allow them 
to treat well programs with irregular control/data- flows. Hence of special interest is 
investigations of approximations based on sets of terms which can have potentially 
arbitrary nature, i.e. they could be powerful (due to their irregularity) but effectively 
computed. One well known example is the set-based analysis [211 El • 

In our case, terms represent all expressions computed in programs. This enables the 
analysis to take into account different aspects of program behavior in a unified way. A 
such unified treatment of all semantic information allows the analysis to improve its 
accuracy. This does not mean that ERA is a generalization of all other value analyses 
(except the constant propagation one), because they use different approaches (semantic 
domains and transformers) to extract effectively and precisely the limited classes of 
semantic properties. In general, the results of the analyses are not comparable. 

ERA provides interesting possibilities for gathering and propagating different in- 
variant information about programs in a unified way. This information can be used 
both for verification and optimization purposes. The second is especially interesting for 
automatically generated programs: residual, i.e. obtained in the process of the partial 
evaluation, and synthesized from high-level specifications. Due to nature of automatic 
generation processes, such programs have specific control flows (for example, hierarchy 
of nested conditional statements with specific conditions; in the case of residual pro- 
grams this hierarchy is more deep as "degree" of the partial evaluation increases) that 
can be successfully optimized on base of gathered invariant information. 

Besides the peculiarity of ERA mentioned above, let us discuss some common prop- 
erties of the semantic analyses. Such taxonomic properties of the analysis algorithms 
as the attribute (in)dependence, context (in)sensitivity, flow (in)sensitivity, scalability 
and some other properties are well known. However, it is the author's opinion that a 
notion of ^Hnterpretability of a semantic analysis" has not been considered adequately 
yet. Here the interpretability of analysis means how extensively the properties of prim- 
itive operations of the language (arithmetical, logical, etc.) and type information are 
allowed for analyzing and can be handled when the analysis works. 

One extreme point of view on the interpretability is an approach accepted in the 
"pure" program scheme theory where no interpretations of functional symbols or type 
information are allowed^. Unfortunately, the results obtained under this approach are 
not reasonably strong. Nevertheless, it must be underscored that ERA dates back to 
V. Sabelfeld's works in the program scheme theory |39l BH] . Another extreme leads to 
the complete description of the program behavior that is also not workable. Obviously, 
it is closely allied to its flow sensitivity (ignoring some part of semantic information 

^ An example of this sort is an approximation of value sets by conic shapes that has only one "com- 
putational disadvantage" : semantic transformers involve algorithms known to be A^P-hard. Proposed 
in 13 many years ago it did not gain ground. 

^More precisely, there exist some works in the program scheme theory where some semantic inter- 
pretations of functional symbols (like commutativity of superposition fog = gof, etc.) are considered. 
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does not allow us to treat precisely some control flow constructs of analyzed programs) 
and its scalability (attempts to take into account large quantity of semantic properties, 
for example, using some theorem prover which is invoked while an semantic analyzer 
works and deduces new properties, can lead to combinatorial explosion for abstract 
computational states). 

It is possible that the interpretability has not been highlighted enough, because most 
of analysis algorithms take into account the limited classes of primitive operations and 
type information and they cannot be enriched in some natural way. For example, an 
interval analysis is not able to incorporate congruence properties in some natural way, 
etc^. Essentially another case is ERA where we have a choice to handle expressiveness 
of the analysis. We intend to illustrate the notion of "interpretability of analysis", its 
importance and usefulness on this example of analysis. 

Among the analyses closely related to ours we would like to point out the following. 
A semantic analysis for detection of equalities between program variables (and simple 
relationships among them) was described in [2]. It makes a list of sets of variables 
discovered to be equal by using the Hopcroft's partitioning algorithm for finite-state 
automata. This algorithm being quite efficient is not however precise enough. Further 
value- numbering techniques were developed in |38[ 12 11 1^ . These algorithms demon- 
strate that adequacy of value numbering is resource-consuming. For example, in the 
last case time complexity of the algorithm is 0{k^jN) where fc is a number of program 
variables, j is a number join-points, and N is program size. 

Another important example is the set-based analysis ^3 mentioned above. Here 
approximating sets of terms are found with resolving some system of set-theoretical 
equations. Formal grammars were used for an analysis of recursive data structures of 
functional languages (see, for example, Formal languages were applied to coding 

of memory access paths in ^3 S2] and values of program variables in the set-based 
analysis. ^| established common foundations connecting and generalizing different 
approaches using formal languages to represent semantic properties. Of course, we 
should mention techniques from the automatic proof theory and the term rewriting 
theory which can be widely applied both at the analysis stage to improve its accuracy 
and the post-processing stage to present its results to the user. 

This article is organized as follows: In Sections 11.11 and 11.21 we describe the se- 
mantic properties, concrete and abstract, respectively, which are considered in ERA. 
In Section 11.31 we discuss some basic operations over the semantic properties used to 
define the semantic transformers which are next presented in Section El In Section 
131 we consider a widening operator and the complexity of ERA is discussed. Finally, 
Section 131 describes processing of ERA invariants and presents some results of our ex- 
periments with ERA. In Appendix an example of analysis of some residual program 
is considered. 

^Of course, it is possible to use sophisticated approaches for combinations of analyses but it intro- 
duces complicated problems under implementations and it is not an enrichment of original ones. 
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1 Properties of interest 



1.1 Concrete properties 

A usual choice for the description of the operational semantics is a specification of some 
transition relationship on the pairs < control point, state of program memory> (see, for 
example, |3U[ \22\ ) where the states of program memory are described by mapping the 
cells of memory into a universe of values. Here variables (groups of cells) and their values 
(constants) are in asymmetric roles. Another example of "asymmetry" : manipulations 
over the structured objects of programs (arrays, records etc.) are not so transparent 
as over the primary ones. To describe the operational semantics for ERA, we used 
another approach. All objects of a program are considered to be "identical" in the 
following meaning. 

Let CV be a set of 0-ary symbols representing variables and constants. The last ones 
may be of the following kinds: scalars, compositions over scalars (i.e., constant arrays, 
records, etc.), names of record fields, and indefiniteness. Let be a set of n-ary 
(functional) symbols which represent primitive operations of programming languages: 
arithmetic, logic, type casting, and all the kinds of memory addressing, as well. Let T31S 
be a set of well-formed terms over CV and J'T, hereinafter referred to as program terms. 
They represent expressions computed during execution of a program. So, as a state 
of program memory we take a reflexive, symmetrical, and transitive relationship (i.e., 
equivalence relationship) over TiKS. The relationship defines some set of term equalities 
which we use to describe the operational semantics and call a computation state. 

Suppose that the following code 

var x,i,j : integer; a : array [1..3] of integer={l,2,3}; 

i:= 3; 

j := i-1; 
if odd(x) then 
i := i mod j; 

j := 1; 

else 

j — a[i]; 
a[i] := a[l]; 
:=j 

end 

Example 1 

is executed at least twice for the different parities of the variable x. In Table U static 
semantics for five control points is given. We present a minimum^ subset of term 
equalities concerning dynamic behavior of the piece. We shall use the property TT (see 
Table ^ to illustrate our further reasoning. 

■^A set of equalities can be completed with any number of consistent equalities. 
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THEN-branch 



ELSE-branch 



a[l] = l,a[2]=j=2,a[3]=i=3, 



a= 1 2 3 ,ODD(x)=TRUE 



a[l ]=l,a[2]= j=2,a[3]=i=3, 

2 I 3 |,ODD(x)=FALSE 



a[l ]=i=j=l, a[2]=2,a[3]=3, 
a=| 1 I 2 I 3 |,ODD(x)=TRUE 



a[l]=i=j=3,a[2]=2,a[3]=l, 



3 2 1 ,ODD(x)=FALSE 



TT 



EXIT OF IF-STATEMENT 



a[l ]=i=j=l, a[2]=2,a[3]=3, 
a=| 1 I 2 I 3"|,ODD(x)=TRUE 



a[l]=i=j=3,a[2]=2,a[3]=l, 



3 2 1 ,ODD(x)=FALSE 



Tabic 1: Description of collecting semantics for Example 1 (here the constant 



ci C2 C3 represents constant arrays). 
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Equality 
relationships 



Grammar 
representation 



Functional net 
representation 



a = h{y) S - 

x = f{a,y) Ai 

x = f{h{y),y) A2 

f{a,y)^f{h{y),y) A3 



Ax = Ai\A2 = = A3 

^x\f{A2,A3) 

^a\hiA3) 

^ y 




Figure 1: Semantic properties and their representations. The set of equalities does not 
contain trivial equalities like x = x and equalities given by the symmetry of the equality 
relationship. 



Formally it is described as follows. Let £QS be a set of all equalities of the terms 
from T3l§, i.e., £Q§ = {ti = \ t\,t2 & T31S}. A set S" e p(£QS) is a computation 
state interpreted in the following way. For each equality ti — tj ^ S values of the 
expressions represented by U and tj must be equal at this point for some execution 
trace. We take the set p(p(£Q§)) as a set for a concrete semantic domain describing 
the collecting semantics of ERA. So, an element of the concrete semantic domain is a 
set of computation states. For a particular point in a particular program it is a set of 
computation states each of them corresponds to some execution trace in the program 
that reaches this point. 

Properties considered in ERA are presented by means of context-free grammars 
G = (N, T, y, S) where 3\f is a finite set of nonterminals denoted by capital letters, 
5* e 3Nf is the initial symbol of the grammar G, T = CV U ^FCP U{(, ), =, ^jisa finite 
set of terminal symbols, and ? is a finite set of grammar rules. We do not give their 
precise description because we shall use quite simple machinery from formal languages 
theory that is not an object of considerations itself and serves for demonstrations. We 
could use functional nets language as well but it is rather machine-oriented and is 
not widely used. We expect that all these descriptive ways become apparent from the 
examples on Figure^ and further ones. 

In that way, a state of computation is represented by a language L(G) generated by 
some grammar G of the described form. If for ^ e Tsf : 
A^ti A A^t2, i.e. ii = t2 e L(G), we say that the nonterminal A and the lan- 
guage L{G) know the terms ti, t2- Obviously, such a grammar representation has 
some superfluous "syntactic sugaring" . We can use S ^ A rules only and say about 
A-nonterminals as classes of equal values. 

Evidently we may suppose that the set of rules ? does not contain rules having 
identical right parts. It is convenient to consider the grammars which do not contain 
useless and redundant nonterminals and rules. A rule is useless if it produces only 
one term (the language knows only a trivial equality like t — t) and this term is not an 
argument of other terms. A nonterminal is useless if it does not participate in derivations 
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of sentential forms pp. Such grammars can arise as result of operations on grammars. 
If nonterminals and rules are useless or redundant it is possible to remove them (see 
Lemma This operation called state reduction consist in detecting and removing 
a set of useless/redundant nonterminals/rules. They are revealed with the well-known 
incremental markup algorithms (see, for example, PP). 

For illustrating purposes we shall use special functional nets for these grammars. 
Here nonterminals are represented by ovals containing 0-ary and functional symbols 
from right parts of rules. Arcs from functional symbols to ovals represent argument 
dependencies ordered from left to right (see Figure ^ . 

1.2 Abstract properties 

It is an interesting peculiarity of ERA that abstract (i.e. approximate) properties have 
the same nature as the computation states of the operational semantics. Formally this 
approximation is defined as follows. 

1.2.1 lYmctions of abstraction and concretization 

Given a concrete property tt g p(p(£Q§)) and an abstract property tt g p(£Q§), the 
abstraction function a : p(p(£Q§)) p(£Q§) and the concretization one 7 : p(£QS) 
p(p(£Q§)) are defined in the following way 



where U is the set -theoretical union on p(p(£Q§)) and 3 and n are the set-theoretical 
inclusion and intersection of the languages (i.e. on p(£Q§)) respectively. We take the 
empty language as infimum _L' (there are no computed expressions) of the semi-lattice 
of abstract semantic properties. The supremum T' (an inaccessible computation state) 
is the language containing all possible equalities of program terms. Also C is the set- 
theoretical inclusion on p(p(£QS)) 

Lemma 1 The abstraction function a is monotonic. 

Proof The function a is monotonic iff V7ri,7r2 £ p(p(£QS)) : 7riC7r2 ^ 
a(7ri)DQ!(7r2). Because 7riC7r2, then 7r2 — 7riU(7r2 \ tti). So, we have a(7ri)D 
a(7riU(7r2 \ tti)) = a(7ri) n a{n2 \ tti) = Q!(7ri) ("1 (Hsg^^y^jS'). Q.E.D. 
7(7r) is the most imprecise element of p(p(£Q§)) that can be soundly approximated 
by 71" e p(£Q§). For the example of Table ^ the best approximation of the concrete 
property 7T is 




otherwise 





(*) 
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(WW ) (WW) 




Figure 2: Intersection of computation states. 
1.2.2 Intersection of ERA languages 

Finding of the intersection of context-free languages is an undecidable problem in the 
general case. In our case, for the languages of term equalities, an algorithm exists (see 
an example at Fig. It is similar to constructing a Cartesian product of automata. 

Algorithm. Intersection of two languages of term equalities. 
Input: grammars Gi = (J^i, T, Ti, Si) and G2 = (3^2, T, ^2, S'2). 
Output: grammar G {3^, T, T, S) such that i(G) = L{Gi) H ^(Gs). 
Description: 

1. Let N = {{Ni,N2)\Ni e & iVa e K2} = x K2. 

2. The set of rules 7 is defined as follows: 

• The rule {Ni,N2) ^ t is introduced if and only if i e CV & Ni ^ t e 
Ti & N2^te 72- 

• The rule {Ni, N2) t{{Nl, N^), . . . , {N^,N^)) is introduced if and only if 
i e J-y & iVi ^ t{Nl . . . , iVf ) e & N2^ tiNl . . . , iV|) G ?2. 

3. Add rules S {Ni, N2) = {Ni, N2) for the initial nonterminal S* of G and for all 

TVl G?^l\{5i},7V2 GD^2\{52}. 

4. Apply state reduction. 

The described algorithm of intersection is very "naive" and impractical. To improve 
it we should choose a more efficient strategy for generating functional symbols. To do 
this we first do a topological sorting of the functional symbols appearing in the right 
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parts of rules; intersect the ary symbol sets; and then generate the next functional 
symbol in conformity with its topological order if and only if all arguments of this 
symbol already exist in the new grammar. For practical cases this intersection can 
be done in an linear average time with respect to grammar size and linear space. It 
demands quadratic time in the worst case. 

1.3 Operations over semantic properties 

Now we shall discuss some basic operations over semantic properties 
■d . I" : p(£QS) p(£QS) used to define the semantic transformers of ERA. For all 
•il . } the notation L{| . {-{I . } means . |[){| . j. 

1.3.1 Removing terms 

Operations over abstract computation states use certain common transformation of the 
sets of term equalities which consists in removing some subset L' . The following 
statement holds. 

Lemma 2 Removing any subset of term equalities preserves correctness of an approx- 
imation. 

Proof It easy to see that 

U{ TT I a(7r) ^ TT } = 7(7r) C \ L') = U{ tt | a(7r) 3 (S- \ L) } = 

U{ TT I f] (LUL') D 7f }, 

which states that removing term equalities makes the approximation more rough but it 
does preserve its correctness. Q.E.D. 

For (*), for example, j{{a[l] = i=j, a[2] = 2})C7({a[l] = i}). 

We shall write L{| 1 1} and L{| J, T} for single term and term set removing followed 
by the state reduction operation defined above. 

1.3.2 Term evaluation 

We define the abstract semantics for an evaluation of a term in an abstract com- 
putation state. The result of the term evaluation is a state knowing the evaluated 
term. 

Term evaluation L^t}. 

1. Ut = tGL, then Lf^tj = L. 

2. Otherwise, if t G CV, then add the new rules S ^ A = A and A ^ t to the 
grammar G, where ^ is a nonterminal which does not exist in G. 
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W{g{a,x),!{h{v),h))} 
Figure 3: Term evaluation. 



3. Otherwise, if t = /(ti, . . . , tn) where / G CF5' is a fimctional n-ary symbol and the 

sub-terms ti, . . . ,tn have been calculated (i.e. there exist derivations Ai^ti, . . . , An^tn), 
then add the new rules S ^ A = A and A f{Ai, . . . , An) to the grammar G, 
where A is a nonterminal which still does not exist in G. 

To improve; an accniracy of analysis we can take into account, for example, the com- 
mutativity of primitive operations. If L knows f{ti,t2) and / is commutative then 
LUit2,h)l=L. 



1.3.3 Identification of terms 

When the standard semantics defines that during program execution values of computed 
expressions are equal, we can incorporate this information in the computation state (but 
it can also be left out). Identification of terms transforms the state into a new one 
incorporating this information. For example, we know that a value of a term representing 
the conditional expression of an IF-statement coincides with 0-ary terms representing 
the constants TRUE or FALSE when, respectively, THEN-branch or ELSE-branch 
is being executed. So, identification of terms along with semantic completion considered 
below provides powerful facilities to take into account real control flow in programs. 



Identification of terms L^ti =t2}- 

1. Uti=t2€L then Lf\ti = t2l = L. 

2. Let Ai^ti and A2^t2- We replace the nonterminal A2 by the nonterminal Ai 
in all rules of CP. If rules with an identical right side Bi w, . . . ,Bk w 
have appeared, then a certain nonterminal from the left sides of the rules (for 
example Bi) must be taken and all nonterminals B2,. . ■ ,Bk in the grammar must 
be replaced by it. 
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L L\x = b\ 



Figure 4: Identification of values of terms. 

3. Repeat step 2 until stabilization. If after that we have a state L' containing 
inconsistent term equalities^ then the result is T' else it is a reduction of L' . 

An example of identification is given in Figure |3| 

Lemma 3 Identification of values of terms is a correct transformation and the resulting 
state is unique. 

Proof 

Let TT = { Li I Li G p(£Q§) } be a concrete semantic property which holds before 
identification of terms ti and ^2- If the values of ti and t2 are equal in the concrete se- 
mantics VLi : ti = <2 G Li, then they are equal in the abstract semantics ti = t2 (z a(7r), 
too. If their values are not equal, then identification gives us an inconsistent computa- 
tion state which obviously includes L^ti = t2} for all ti and ^2- So, this transformation 
is correct. 

Identification is done in finite steps because the size of grammar decreases at each 
step. Uniqueness of the resulting state is explained by the following observation. If we 
have two pairs of terms which are candidates for identification, then identification of one 
of them does not close a possibility of it for another, because we remove a duplication 
of the functional symbols only. In fact, after identification of a pair of terms we obtain 
a new state, including the source one, and thus other existing identification possibilities 
remain. So, the order of "merging" of term pairs is not important for the resulting 
state. Q.E.D. 

1.3.4 Semantic completion 

We have not yet considered any interpretation of constants and functional symbols. 
We could continue developing ERA in the same way. As a result we shall obtain a 

^There exists a wide spectrum of inconsistency conditions. The simplest of them is an equahty of 
two different constants (see Section ll.a.4l for the further discussion). 
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Co(L) 

Figure 5: Semantic completion. 



noninterpretational version of the analysis likewise analysis algorithms in the program 
scheme theory. However, it is natural to use semantics of primitive operations of the 
programming language of interest in order to achieve better accuracy. 

ERA provides us with possibilities of taking into account properties of language 
constructs, and, what is especially important, we can easily handle complexity of these 
manipulations. In fact, inclusion of these properties corresponds to carrying out some 
finite part of completion of the computation states by consistent equalities. This manip- 
ulation is called semantic completion (about "conjunctive/disjunctive completion" 
see mi)- 

As a basic version of semantic completion Co we take computations over constant 
and equal arguments. When we detect that some term t has some specific value v then 
Co(L)=L|t = v}. Also, it is possible to apply identification involving dependencies 
among result of an operation and its arguments: if {ti AND ^2) = TRUE G L then 
Co{L)^Ljti = TmjE\\t2 = TRUE} etc. This identification process is iterative be- 
cause new possibilities for identification can appear at the next steps. It is conceivable 
that in doing so we shall detect inconsistency of a computation state. In this case result 
of semantic completion is T'. 

This version can be extended by some intelligent theorem prover inferring new rea- 
sonable equalities and checking inconsistency of computation states. Such combining of 
analysis with proofs offers powerful facilities to the analyzer (see |2H1E1) and, as it was 
mentioned in the previous works, this prover is reusable for consequent (semi-)automatic 
processing of results of the analysis. "Size" of used completion can be tuned by options 
of interpretability of the analyzer. 

Some arithmetical errors (such as division by zero, out of type range etc.) will appear 
during the semantic completion. In this case the analyzer tells us about the error and 
sets the current computation state to T'. Notice that for the languages where incomplete 
Boolean evaluation is admissible semantic completion over Boolean expressions should 
be carefully designed especially in presence of pointers. 

An example of semantic completion is presented in Figure |5l Turning back to the 
identification example at Figure |4l we consider the following interpretation of constants 
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and functional symbols: g is the exclusive disjunction, / is the negation, a is the constant 
TRUE and b is the constant FALSE. It is easy to see that in this case application of 
semantic completion gives us L^x = 6|[ = T'. 

In our analyzer we implemented an interpretational version of ERA which uses 
semantic completion Co(L). Under this approach, the definitions of the basic transfor- 
mations mentioned above are changed to the following: 

lW = Co(L^4), 
L)^h=t2l' = Comh=t2l). 

In short, we shall omit this "interpretability" prime. 

2 Semantic transformers 

In this section we describe semantic transformers [.] : p(£Q8) — > p(£Q§) corresponding 
to common statements existing in imperative programming languages. If for a statement 
S an input computation state is L then L|5'] is its output computation state. For all 
|.] the notation L|.]|.] means 

2.1 Assignment statement 

Among all program terms considered in ERA we can pick out access program terms 
including array eZm, record fld, and pointer val referencing and playing an important 
role in determination of effect of an assignment statement. As in |15[I42| our abstraction 
of program memory manipulations is storeless and based on notion of memory access 
paths represented by access program terms. For example, for an address expression 
bar[i][j]'.foo the access term is fld{val{elm{elm{bar, i),j)),foo). 

We shall assume that no operations other than memory addressing (for example com- 
parisons) are allowed for structured variables such as arrays and records. So, for the pre- 
vious example neither a and elm(a,i) (^[i]) nor 
val{elm{elm{a,i), j)) (a[i][j]') can appear as arguments for operations other than elm 
and fid respectively. This limitation allows us to simplify definition of our assignment 
statement abstraction^. 

To preserve safety of the analysis we have to take into account memory aliasing 
appearing in programs. Two access terms are alias if they address the same memory 
location. In the general case ERA is inadequate itself to handle precisely all kinds 
of aliasing and we should use other analyses. Next it is assumed that for each access 
term ta we know a set A(ta) of access terms covering a set of aliases for ta (may-alias 
information about ta). Let 

A{ta,L{G)) ^ (yi(^,) n ev ) u {/ g | A^f{...) a f{...)eA{ta)} 

^Otherwise we have either to accept that each assignment to some structured variables destroys 
all equalities involving other components of it or to implement some strategy (for example copying) 
preserving useful and safe access terms. 
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("roots" of memory access terms in A{t a))- Notice that flow-insensitive approximations 
of alias information may cause conservative results of ERA. Therefore ERA and alias 
analyses used in its implementation should have the same sensitivity to the control flow. 



Assignment statement Llv :— expj. 

1. In the state L evaluate exp using evaluation transformer formally defined earlier 
in Section ll.3.21 Let L' be a result of the evaluation and let E he a nonterminal 

such that E^exp. 

2. Perform L'-J J, A{v, L')}. Do not remove E. 

3. Add the term v so that E^v. 

Unfortunately, in some cases this abstraction of the assignment statement fails 
as before. For example, this assignment transformer corresponding to x:=x+l and 
being applied to the state L = {{x > 0) = TRUE} gives only the trivial identity 
Llx := X + IJ — {x = x} . To improve accuracy of the analysis in these cases we can 
consider "artificial" variables associated with scalar variables of the program which will 
store previous values of the original ones. Under this approach between first and second 
steps of the assignment statement effect definition we should insert the step 

Let A V and B ^ v' where v' is associated with v. Remove the second rule and 
add A ^ v' ii it is needed. 

Under this approach we shall have Llx := x + 1] = {{x' > 0) = TRUE,x = a;' + 1} 
from where we can deduce that x > also. 

2.2 Other transformers 

• Program. 

Given a program 
PROGRAM; 

VAR X : T; {* variables *) 
BEGIN 

S (* statements *) 



END. 



we can define the following transformer corresponding to it 



±'lPROGRAMj = ±'lx:= ujjlSj 



where u; represents the indefinite value. Notice that lu is not a constant. 



Empty statement. 



L 



Sequence of statements. 
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Read statement. 

LlREAD{x)j = LixH i Ai^j 

Notice that if for read statement as well as for other statements some set of user's 
pre- or post-assertions represented in the form of equalities of program terms is 
supplied then the analyzer can take them into consideration to check consistency 
and to include in the current computation state. 

Write statement. 

LlWRITE{x)] = L^xj 

Conditional statement. 

IF p THEN St ELSE Sf END. 

If L' = L^pj then 

LlIFj = LIp = TRUEllStjnL'^p = FALSEUSfj. 

Cycle statement. 
CYCLE 

S (* body of cycle *) 

END 

where S is a composed statement that possibly contains occurrences of exit-of- 
cycle statements EXIT^. When the sequence 

Lo^L, L„==L„_i|S'] for n>0 

becomes stabilize 

LlCYCLEj = HkEk 

where Ek is a stationary entry state for EXITk. If this process does not become 
stabilize then some widening operator should be used (see Section 

Halt, exit and return statements . 

LfEXIT] = LfRETURNj = T' 

Call of function. We assume that return of results of function calls is implemented 
as an assignment to variables having the same names as invoked functions (con- 
nection with their call sites should be taken into account). The function bodies 
may contain RETURN statements as well. 

FUNCTION F(x: Ti) : T; 

VAR y: T2; (* local variables *) 

BEGIN 

S (* statements *) 

END. 

LlFUNCTIONj = Llx := e;y:= uj; F := t^]|S']ni? 
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Llx := F{x)j 



Figure 6: Function call for F{a) = a + 1. 

where e is a factual parameter of the function (see the note for READ statement) 
and R = ClRk is intersection of stationary entry states for return statements in S 
if they exist and R — T' otherwise. In the term being evaluated the result of a 
function call is represented by F. 

3 Widening operator and convergence of the analysis 

Our abstract semantic domain does not satisfy the (descending) chain condition and 
therefore it requires some widening operator [51 IIUL ITT] . To guarantee the convergence 
of the abstract interpretation we should use a dual widening operator: 

• yx,y e p(£Q§) ^ X D x\/y k y D x\/y, 

• for all decreasing chains xqDxi^ . . ., the decreasing chains defined hy yo = xq, ■ ■ ■ , yt+i = 
yiSyxi+i, . . . are not strictly decreasing. 

The iteration sequence with widening is convergent and its limit is a sound approxima- 
tion of the fixpoint. 

3.1 Widening operator for ERA— grammars 

Infinite chains can appear because corresponding languages have common infinite sub- 
sets generated by cyclic derivations in grammars. The source of that in ERA is term 
identification. We can avoid this problem by imposing the constraint that grammars 
must be acyclic. Within the semilattice p(£QS)(3, £Q§, n), the subsemilattice of finite 
languages generated by such grammars satisfies the chain condition, but such languages 
are not expressive enough. Our solution is the following. Grammars are not originally 
restricted but if in course of abstract interpretation the grammar size becomes greater 
than some parameter, then "harmful" cycles must be destroyed. To this end we remove 
grammar rules participating in cyclic derivations. Correctness of this approximation of 
intersection follows from Lemma |51 

^Notice that sets of term equalities of a special form corresponding to these languages were used 
by V. Sabelfeld to develop effective algorithms of recognizing equivalence for some classes of program 
schemata .39n40l . 
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Detecting such rules is no simpler than the "minimum- feedback-arc/vertex-set" 
problem (MFAS or MFVS) if we consider the grammars as directed graphs. These 
sets are the smallest sets of arcs or vertices, respectively, whose removal makes a graph 
acyclic. We suppose that the "feedback vertices" choice is more natural for our purposes. 
In the general case this problem is !NP-hard, but there are approximate algorithms that 
solve this problem in polynomial |41) or even linear |37) time. Consideration of weighted 
digraphs makes it possible to distinguish grammar rules with respect to their worth for 
accuracy of the analysis algorithm. However, perspectives of this approach are not clear 
now for complexity /precision reasons of such algorithms. For example, proposes 
an algorithm for weighted FVS-problem requiring 0{n? ^{n) log^ n) time where ^lin) is 
complexity of matrix multiplication. 




Cyclomatic graph for the grammar G 

Figure 7: FVS-transformation. 
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Our widening operator for the analysis of equality relationships is defined in the 
following way. A vertex set of the cyclomatic graph^ of the grammar G is a set of 
functional symbols existing in G. An arc (/, g) belongs to its arc set if G contains rules 
A /(..., B, .. .) and B ^ g{. . .) . A transformation of a cyclomatic graph which 
involves detecting some FVS (it can be an upper approximation of a minimal feedback 
set) and removing all vertices from the FVS is said to be an FVS-transformation 
(an example is shown in Figure [T)). Let i\Fvs be a language obtained from L by 
FVS-transformation applied to the grammar generating L. We define 

r L(Gi)Vvs n i(G2) if |G2|>|Gi|>d, 
L{Gi)yL{G2) = I L(Gi) n L(G2)\pvs if |Gi| > IG2I > d, 
[ L{Gi) n L{G2) otherwise, 

where d is a user-defined parameter. It is reasonable to choose this parameter, depending 
on number of variables of analyzed programs, as a linear function with a small factor of 
proportionality. Notice that in this case the lengths of appearing chains linearly depend 
on number of variables living simultaneously. 

3.2 Divergence of the analysis 

Is the widening operator, being rather complex, really needed for the analysis of equality 
relationships? Are there programs which, being analyzed, generate infinite chains of 
semantic properties? It should be mentioned that constructing such program examples 
has been a problem for a long time. In we stated our belief that their existence seems 
hardly probable. These attempts failed, because they concentrated on constructing an 
example with completely non-interpretable functional symbols, i.e. in the frame of the 
"pure" theory of program schemata. 

As already noticed, we can widely vary the interpretability of the analysis algorithm. 
In order to construct an example, it will suffice to use the following rule of completion: 

if {ti = t2) = TRUE e L then Co{L) = L^h = ^2!. 

We consider the following example: 



x:=f(y); 

if f(x)=f(y) then 
while y=f(g(y)) do 

y:=g(y) 

end 
end 

program scheme 



x:=sign(y); 

if sign(x)=sign(y) then 
while y=sign(abs(y)) do 

y:=abs(y) 
end 
end 

"real-world" program 



The properties computed at the body entry belong to an infinite decreasing chain. 
On Figure |8] a state Le describes properties valid before cycle execution; states Li 

*A graph represents cyclic derivations in the grammar. The author did not find another appropriate 
name for this object in the Computer Science and Discrete Mathematics literature. 
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L2 



Figure 8: The case of divergence of the analysis. 

and 1/2 describe properties at the entry of the cycle body for first and second iteration, 
respectively. It is easy to see that LinL2 coincides with except in the equality 
relationships containing terms generated by g* . Therefore every time we obtain the 
next state, the functional element g* is absent and the sub-net placed in the dashed box 
will repeat more and more times. 

To obtain a "real-world" program from this program scheme, we interpret the func- 
tional symbols in the following manner: / = sign and g = abs. We would like to point 
out the following interesting property. Execution of this piece of code (i.e., its behavior 
determined with the standard semantics) diverges only for two values of y: and 1. 
At the same time the analysis algorithm (i.e. execution of the piece of code under our 
nonstandard semantics) is always divergent on condition that a widening operator is 
not used and the assumption on interpretation mentioned above holds. 

Is this program actually real-world? The reader should decide that by himself but 
we would like to underline the following^. On the one hand, the interpretability of the 
analysis algorithm can be varied in wide ranges and, on the other, we are not able to 
prove formally the impossibility of such behavior of the analyzer under the considered 
interpretation. So, we can choose either a lean analysis using acyclic grammars only or 
another one using arbitrary grammars and some widening operator. 

^The penetrating reader may notice that this program to be considered as human written is really 
stupid (it can be slightly intellectualized if we interpret g as "add i"). But for automatic generators of 
programs such a code does not seem improbable. 
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3.3 Complexity of the analysis 



In [TSj we pointed out the following upper bound on time for the algorithm of ERA: 
0{nmG^g^^), where n is program size, m is maximum of number of program variables 
existing at a time, and Gmax is maximum of sizes of grammars appearing in course 
of the analysis. Due to our construction of widening operator (namely, choice of the 
parameter d linearly depended on m) we can assume that Gmax = 0(m). 

This bound can be deduced with help of Theorem 6 in The theorem states 
that for the recursive strategy of chaotic iteration maximum complexity is 



where h is maximum length of increasing chains built by a widening operator, C is set 
of control program points, (5(c) is depth of the control point c in hierarchy of nested 
strongly connected components of the control flow graph containing c, and W is set of 
vertices where a widening operator is applied during the analysis. 

For well-structured programs we can assume that maximum depth of nested loops 
does not depend on program size and is bounded by some constant. By (**) we conclude 
that number of algorithm steps does not exceed 0{nm). Since time complexity of 
all operations used in the analysis are estimated by G^ax obtain 0{nmG^ax) (o'' 
0{nm^)) upper bound. Notice that to improve the results of the analysis it is possible 
to use rich semantic completion and more precise FVS-algorithms that have more than 
quadratic time complexity. 

However, experimental results show that an approximation of a fixed point for the 
heads of cycle bodies is usually attained after at most two iterations and time complexity 
of the analysis is proportional to nGmax- Also, the user can turn off checking a threshold 
after which widening is started. In this case, he (consciously) admits some chance that 
the analysis diverges but we believe that this chance is not too big. 

It is easy to see that the space complexity of the equality relationship analysis is 
0{nGmax) and it is essentially depended on the number of variables. We estimate 
the actual space requirements as 1.5-2.0 Mb per 1000 program lines for middle-size 
programs. 

4 Processing of invariants and experimental results 
4.1 Usage of ERA— invariants 

ERA produces some set of invariants involving program terms which can be useful 
at different steps of program development and processing: debugging, verification (for 
that the invariants are interesting themselves), specialization, and optimization. The 
automatic prover mentioned above can be used at step of post-processing results of the 
analysis. 

We notice that the analyzer can tell the user useful information both at the stage 
of analyzing (this means that it is possible that there exist execution traces where such 
computational states appear; we mark with -I- properties which can be detected at this 





(**) 
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stage) and at the stage of processing of results of the analysis (these properties hold for 
each execution trace leading to this program point). We shall briefly list some program 
properties that can be extracted from computation states Lin and Lout being for a 
statement S the input and output states respectively. 

+ Variable x has an indefinite value if Lin contains x — lu. 

+ Error in evaluation of an expression: division by zero, out of type ranges, nil-pointer 
dereferencing, etc. 

— S is inaccessible if Lin = T'. This information can correspond to different properties 

of program execution: potentially infinite cycles and recursive calls, dead branches 
of conditional statements, useless procedural definitions, etc. 

— Assignment statement v:=exp is redundant if Lout contains v = v' where v' is the 

variable associated with v. 

— Unused definitions (constants, variables, types). 

— Constant propagation. Notice that ERA can detect that an expression is constant 

not only when constants for all variables in this expression are known. 

— More general: for some expression there exists an expression that is equal to the 

original one and calculated more efficiently (with respect to an given criterion 
time/space and target computer architecture). 

Obviously, this list is not complete and there are many other properties which can 
be extracted from the invariants. For example, we can consider systems of equa- 
tions/inequalities contained in the gathered invariants and try to solve them to derive 
more precise ranges for values of expressions or the inconsistency of this computational 
state. 

Apart from the automatic mode when invariants are processed automatically, we 
provide an interactive mode to visualize results of our analysis in a hypertext system. 
HyperCode presented in [71 13| is an open tunable system for visualization of properties 
of syntactic structures. There are two cases: visualization of all properties detected in 
the automatic mode and the user-driven processing and visualization of properties. 

The experiments show that not all program properties of interest can be automat- 
ically extracted out of the computed invariants. It is not judicious to consider many 
particular cases and to hardly embed them into the system. Instead, the system facil- 
itates the specification of the user request with some friendly interface. He chooses a 
program point and an expression and obtains those and only those equality relation- 
ships, valid at this point, where this expression occurs as a super- or sub-term. 

4.2 Program examples 

An example of a program is presented below. The properties detected by the analyzer 
are indicated in comments. 
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program 


length (lines) 


size (bytes) 




M2Mix 


ERA 


improv. 


M2Mix 


ERA 


improv. 


KMP 


167 


133 


20.35% 


2996 


2205 


26.4% 


Lambert 


361 


326 


9.7% 


6036 


2564 


57.5% 


Automaton 


37 


35 


5.4% 


969 


926 


4.5% 




87 


77 


11.5% 


1647 


1432 


13.05% 


Ackerman 


64 


62 


3.1% 


1384 


1322 


4.5% 




average 


10.01% 


average 


21.19% 



Table 2: Comparison ERA and M2Mix. 



var x,y,z: integer; 
procedure P(a,b: integer) :integer; 



begin 

return a+b 
end P; 
begin 

Read(x); 
while x<0 do 
Read(x); 
X := x+1; 
z := x+z; 
y := x+1; 
if x=0 then 

z := y; 
else 

z := x+1; 

X := y; 
end; 

Write( P(y,z) ) 
end; 

X := z div (y - z); 
Write (x) 
end. 



parameters are always equal*) 
*expression can be simplified: 2*a*) 



(*variable z might be uninitialized*) 

(*r-value can be simplified: z:=l*) 
(*r-value can be simplified: z:=y*) 

(*call can be transformed: Write(2*y)*) 

*arithmetical error*) 
*inaccessible point*) 



On basis of the analysis, this program can be transformed into the following: 

var x:integer; 
begin 

Read(x); 
while x<0 do 

Read(x); x := x+2; Write(2*x) 
end 

ERROR_EXCEPTION; 
end. 



In Table [2] we present some results of optimization based on our analysis of resid- 
ual programs generated by M2Mix specializer |^ I33| . To compile these examples, we 
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used XDS Modula/Oberon compiler v. 2. 30 ^U'. The following programs have been 
investigated: 

• KMP — the "naive" matching algorithm specialized with respect to some pattern; 
the residual program is comparable to Knuth, Morris, and Pratt's algorithm in 
efficiency, (see also Appendix). 

• Lambert — a program drawing Lambert's figure and specialized with respect to 
number of points. 

• Automaton — an interpreter of a deterministic finite-state automaton specialized 
with respect to some language. 

• Int Pit, — an interpreter of MixLan specialized with respect to a program 
computing Fibonacci numbers. 

• Ackerman — a program computing some values of Akcerman's function and 
specialized with respect to its first argument. 

Let us comment briefly on the obtained results. Reducing length of a program can 
be considered as reducing number of operators and declarations. In these examples the 
optimizing effect was typically attained by the removal of redundant assignments, dead 
operators, unused variables and the reduction of operator strength. The only exception 
is KMP program characterized by high degree of polyvariance (roughly speaking it 
means presence of deep-nested conditional statements) and an active usage of array 
references. Here some IF-statements with constant conditions and redundant range 
checks were eliminated. Notice that the last optimizing transformation is very important 
for Modula-like languages where such checks are defined by the language standard. Such 
notable optimizing effect for the Lambert program is explained by deep reduction of 
power of floating-point operations which cannot be achieved by optimizing techniques 
now used in compilers. Since Automaton and Ackerman programs are quite small, 
their optimization gives conservative results. However, they would be better for the 
Ackerman program if the implementation of ERA were context-sensitive. Substantial 
speed-up of these optimized programs was not obtained (it was less than 2%) and this 
is not surprising since the great bulk of specializers take it as a criterion of optimality. 

These experiments show that an average reduction of size of residual programs is 20- 
25%. Because the case of KMP program seems to be the most realistic^", we suppose 
that such improvement can be achieved in practice for real-world programs and it will 
be increased for large residual programs with a high degree of polyvariance and active 
usage of arrays and float-point arithmetics. It is the author opinion that the analysis 
of automatically generated (from high-level specifications as well) programs is the most 
promising direction of its application, especially in the context-sensitive implementation 
of ERA. 

^"Unfortunately our experiments were not exhaustive enough since the partial evaluation is not 
involved yet in real technological process of the software development and hence finding large resudial 
programs is a hard problem. 
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Appendix. Analysis of KMP 



The appendix presents results of application of ERA to KMP program generated by 
the specializcr M2Mix. This program is a specialization of a program implementing 
the naive pattern matching Match(p,str) with respect to the pattern p="ababb". 
The invariants are written as comments at program points where they hold. We can 
conclude that: 

• The target string necessarily ends with and the variable Is is equal to the 

string length (line 10). 

• Every time when some element of str (lines 20, 31, 42, 53, 58, 67, 72, 78, 86, 108, 
113, 129, 140, 151, 162) is used in second LOOP, the value of its index expression 
does not exceed the value of the variable Is. The same is true for the value of a 
variable before the increment statements INC(s) (lines 23, 34, 45, 62, 81, 89, 94, 
98, 103, 116, 120, 132, 143, 154, 165). Therefore, it suffices to check that a value 
of Is is not beyond the ranges determined by the type _TYPE354a04 during 
input of the target string (line 8). So, in the second cycle all range checks can be 
eliminated. 

• The assignment _cfg_counter:=0 is redundant (line 24). 

• Conditions str[s+2]='a' and str[s]='a' are always false (lines 78 and 86, respec- 
tively) because two different constants are equal. So, the code of THEN-branches 



• The conditions at the lines 63, 68, 74, 82, 104, 109 are false, too. However, 
automatic detection of these properties are not as easily as the previous. 

Using this semantic information, it is possible to build a new program functionally 
equivalent to Match("ababb" ,str). In text of the program given below the underlined 
code can be eliminated. 

MODULE Match; 

FROM FIO IMPORT File,Open,ReadChar,WriteInt,stdout; 
VAR _cfg.counter : CARDINAL; str_file : File; 
TYPE .TYPE354a04 = [0..20]; 

TYPE .TYPE355004 = ARRAY .TYPE354a04 OF CHAR; 
VAR str : .TYPE355004; Is,s : .TYPE354a04; 
BEGIN 

1: str_file := Open("target.dat"); 
2: Is := 0; 

3: LOOP 

4! str[ls] := ReadChar(str_file); 



is dead. 



5: 



IF (str[ls]='#') THEN 



{*str[ls\ ='#'*) 



EXIT 
ELSE 



{*str[ls\ ^'#'*) 



9: 



S: 



INC (Is) 
END 



10: END; 
11: s := 0; 

12: _cfg_counter := 0; 



{*str[ls\ ='#'*) 



(*s = -cfg-counter = 0*) 
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13: LOOP 

14: CASE _cfg.counter OF 

15: I : {*.cfgjx>unter = 0*) 

16: IF ((s+0)>ls) THEN (*s > Is*) 

17: Writelnt(stdout,(-I),0); 

18: EXIT 

19: END; (*0 <ls,s < Is*) 

20: IF (str[(s+0)]='a') THEN {*str[s] ='a', <ls,s < Is*) 

21: _cfg_counter := 1 

22: ELSE (*0 <ls,s < Is, str[0] ^'a'*) 

23: INC(s); {*-cfg -Counter = 0*) 

24: _cfg_counter := 

25: END (*0 <ls,s < Is*) 

26: I 1 : (*-cfg -Counter = 1*) 

27: IF ((s+l)>ls) THEN (*s + 1 > Is*) 

28: Writelnt(stdout,{-I),0); 

29: EXIT 

30: END; (*s + 1 < Is*) 

31: IF (str[(s+l)]='b') THEN {*str[s + 1] ='h' *) 

32: _cfg_counter := 2 

33: ELSE {*str[s + 1] j^'b'*) 

34: INC(s); {*str[s\ i^'b' , s < Is*) 

35: _cfg_counter := 

36: END 

37: I 2 : {*-cfg -Counter = 2*) 

38: IF ((s+2)>ls) THEN (*s + 2 > Is*) 

39: Writelnt(stdout,(-I),0); 

40: EXIT 

41: END; (*s + 2 < Is*) 

42: IF (str[(s+2)]='a') THEN {*str[s + 2] ='a'*) 

43: _cfg_counter := 3 

44: ELSE {*str[s + 2] ^'a'*) 

45: INC(s); {*str[s + 1] t^V, s + 1< Is*) 

46: _cfg_counter := 4 

47: END 

48: I 3 : {*-cf g -Counter = 3*) 

49: IF ((s+3)>ls) THEN (*s + 3 > Is*) 

50: Writelnt(stdout,(-I),0); 

51: EXIT 

52: END; (*s + 3 < Is*) 

53: IF (str[(s+3)]='b') THEN (*str[s + 3] ='6'*) 

54: IF ((s+4)>ls) THEN {*s + A>ls,s + Z < Is*) 

55: Writelnt(stdout,(-I),0); 

56: EXIT 

57: END; (*s + 4 < Is*) 

58: IF (str[(s+4)]='b') THEN {*str[s + 3] = str[s + 4] ='6'*) 

59: WriteInt(stdout,s,0); 

60: EXIT 

61: ELSE (*str[s + 3] ='6',str[s + 4] ^'6',s + 4 < is*) 

62: INC(s); (*sir[s + 2] ='6',str[s + 3] 7^'6',s + 3 < is*) 

63: IF ((s+0)>ls) THEN (*s>ls,s + i <ls*) 

64: Writelnt(stdout,(-I),0); 

65: EXIT 

66: END; [*str[s + 2] ='b',str[s + 3] ^'b',s + 3 < Is*) 

67: lF^r[(s+0)]='a') THEN {*str[s\ ='a',str[s + 2] ='b',str[s + 3] ^'6', 

s + 3 < Is*) 

68: IF ((s+l)>Is) THEN {*s + l>ls,s + Z<ls*) 

69: WriteInt(stdout, (-1) ,0) ; 

70: EXIT 

71: END; (*the same as at line 67*) 
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72: IF (str[(s+l)]='b') THEN {*str[s] ='a', sir [s + 1] ='b',str[s + 2] ='6', 

73: str[s + 3] y^'b', s + 3 < Is*) 

74: IF ((s+2)>ls) THEN {*s + 2 > ls,s + 3 < Is*) 
75: Writelnt(stdout,(-I),0); 

76: EXIT 

77: END; (*str[s]='a',str[s + l]='b',str[s + 2]='b', 

str[s + 3] y^'b' , s + 3 < Is*) 
78: IF (str[(s+2)]='a') THEN (*inaccessiblc point*) 

79: _cfg_counter := 3 

80: ELSE (*str[s] ='a',str[s + 1] ='b',str[s + 2] ='6', 

str[s + 3] 7^'fe',s + 3 < Is*) 

81: INC(s); (*str[s - 1] ='a' , str[s] ='fo', str[s + 1] ='6', 

str[s + 2] 7^'6',s + 2 < Is*) 

82: IF ((s+0)>ls) THEN {*s >ls,s + 2< Is*) 

83: WritGlnt(stdout,(-l),0); 

84: EXIT 

85: END; {*str[s - 1] ='a' ,str[s] ='b' ,str[s + l] ='b', 

str[s + 2] T^'b' , s + 2 < Is*) 
86: IF (str[(s+0)]='a') THEN (*inaccessible point*) 

87: _cfg_counter:=14 

88: ELSE {*str[s - 1] ='a', str[s] ='b',str[s + 1] ='6', 

str[s + 2] ^'b',s + 2 < Is*) 
89: INC(s); {*strls - 2] ='a',str[s - 1] ='b', str[s] ='b' , 

str[s + l] j^'b',s + 1 < Is*) 

90: _cfg_counter:=4 
91: END 

92: END (*str[s - 2] ='a', str[s - 1] ='b', str[s] ='6', 

str[s + 1] ^'6',s + 1 < Is*) 

93: ELSE (*str[s] ='a',str[s + 1] ^^V, str[s + 2] ='6', 

str[s + 3] 7^V,s + 3 < Is*) 

94: INC(s); (*str[s - 1] ='o', str[s] ^'6', str[s + 1] ='b' , 

strls + 2] ^'b',s + 2 < Is*) 

95: _cfg_counter ;= 12 

96: END 

97: ELSE {*str[s] ='a', str[s + 2] ='6', str[s + 3] 

s + 3 < is*) 

98: INC(s); (*str[s - 1] =V,str[s + 1] ='6',str[s + 2] 

s + 2 < is*) 

99: _cfg_counter ;= 12 

100: END 
101: END 

102: ELSE {*str[s + 3] ^'b',s + 3 < Is*) 

103: INC(s); {*str[s + 2] 7^'6', s + 2 < /s*) 

104: IF ((s+0)>ls) THEN {*s >ls,s + 2< Is*) 

105: Writeint (stdout , (- 1 ) , 0) ; 

106: EXIT 

107: END; {*str[s + 2] ^'b',s + 2 < Is*) 

108: IF (str[(s+0)]='a') THEN {*str[s] ='a',str[s + 2] j^'b',s + 2 < Is*) 

109: IF ((s+l)>ls) THEN {*s + l>ls,s + 2 <ls*) 

110: Writelnt(stdout,(-I),0); 

111: EXIT 

112: END; {*str[s] ='a',str[s + 2] ^'b',s + 2 < Is*) 
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113: IF (str[(s+l)]='b') THEN {*str[s] ='a',str[s + 1] ='b',str[s + 2] ^'b' , 

s + 2 < Is*) 

114: _cfg_counter := 2 

115: ELSE {*str[s] ='a',str[s + 2] ^'6', s + 2 < Is*) 

116: INC(s); {*str[s-l]='a',strls + l]^'b',s + l<ls*) 

117: _cfg_counter := 10 

118: END 

119: ELSE {*str[s + 2] jt'b',s + 2 < Is*) 

120: INC(s); {*str[s + 1] ^'6', s + 1< Is*) 

121: _cfg_counter := 10 

122: END 

123: END 

124: I 4 : {*.cfg -Counter = 4*) 

125: IF ((s+0)>ls) THEN {*s > Is*) 

126: Writelnt(stdout,(-I),0); 

127: EXIT 

128: END; (*s < Is*) 

129: IF (str[(s+0)]='a') THEN l*str[s\ ='a',s< Is*) 

130: _cfg_counter := 1 

131: ELSE {*str[s]^'a',s <ls*) 

132: INC(s); {*str[s - 1] , s < Is*) 

133: _cfg_counter := 

134: END 

135: I 10: {*-cfgjcounter = 10*) 

136: IF ((s+0)>ls) THEN {*s > Is*) 

137: Writelnt(stdout,(-I),0); 

138: EXIT 

139: END; (*s < Is*) 

140: IF (str[(s+0)]='a') THEN {*str[s] ='a' , s < Is*) 

141: _cfg_counter := 1 

142: ELSE (*str[s]^'a',s<ls*) 

143: INC(s); {*str[s - 1] ^'o', s < Is*) 

144: _cfg_counter := 

145: END 

146: I 12: (*-cfg .counter = 12*) 

147: IF ((s+0)>ls) THEN {*s > Is*) 

148: Writelnt(stdout,(-I),0); 

149: EXIT 

150: END; (*s < Is*) 

151: IF (str[(s+0)]='a') THEN {*str[s] ='a',s< Is*) 

152: _cfg_counter := 14 

153: ELSE (*str[s] yt'a',s < Is*) 

154: INC(s); {*str[s - 1] =^'a',s < Is*) 

155: _cfg_counter := 4 

156: END 

157: I 14; (*-cfg .counter = 14*) 

158: IF ((s+l)>ls) THEN (*s + 1 > Is*) 

159: Writelnt(stdout,(-I),0); 

160: EXIT 

161: END; (*s + 1 < Is*) 

162: IF (str[(s+l)]='b') THEN {*str[s + 1] ='b',s + 1 < Is*) 

163: _cfg_counter ;= 2 

164: ELSE {*str[s + 1] 7^'6', s + 1 < Is*) 

165: INC(s); {*str{s\it'b',s <ls*) 

166: _cfg_counter := 4 

167: END 
168: END 



END 
END Match. 
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